System and method of transmitting confidential data

ABSTRACT

Systems and methods for transmitting critical data to a server are provided. The data structure intended for transmission to the server is divided up on the client side into a substructure containing critical data (CD) and a substructure not containing CD. The substructure containing CD is further divided up at the client side into at least two substructures and the resulting substructures are sent consecutively to the server via a node with a transformation module. The substructure not containing CD is sent directly to the server, bypassing the node with the transformation module. After receiving the substructures, they are combined at the server side into a single data structure. The critical data are data with respect to which the law of the state in whose jurisdiction the client or an authorized entity is located imposes restrictions on the gathering, storage, accessing, dissemination and processing thereof.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit of priority under 35 U.S.C. 119(a)-(d)to a Russian Patent Application No. 2019109171 filed Mar. 29, 2019,which is incorporated by reference herein.

FIELD OF TECHNOLOGY

The present disclosure relates generally to the field of informationsecurity, and more specifically, to systems and methods of assuringanonymity for data routing in a client-server architecture.

BACKGROUND

Changes in legislation around the world are forcing information securityspecialists to seek out new methods for managing data coming frompersonal electronic devices. For example, in the Russia Federation a lawwas signed whereby the personally identifiable information of Russiansused by Internet services must be kept on the territory of Russia; inSwitzerland, banks are also required not to allow user data to leave thejuridical territory of the federal government; and in a number ofcountries, personally identifiable information is prohibited from beingkept in open form. The solutions being developed should not make thework of the users of computer systems more difficult and they should beas transparent as possible to the users in their operation.

With the advent of the General Data Protection Regulation (GDPR), thequantity of personal data being kept in a network infrastructure on thepart of various services and being received from users is trendingtoward a minimum. It is necessary to provide distributed storage andprocessing of data obtained from users without losing its uniqueness.

These principles are causing difficulties in the adopting of a cloudinfrastructure in the corporate and private sector. A solution is neededthat will be able to solve these difficulties.

SUMMARY

The present disclosure is designed for the sending of data in aclient-server architecture with anonymity for the data being transmittedand without loss of the completeness and representativeness of theinformation which is needed by the server for analysis and constructionof statistics.

The technical result of the present disclosure is to enable the sendingof critical data to a server.

The object of one or more aspects of the present disclosure is a methodof sending critical data to a server, in which the data structureintended for transmission to the server is divided up on the client sideinto a substructure containing critical data (hereinafter, CD) and asubstructure not containing CD. The substructure containing CD isfurther divided up at the client side into at least two substructuresand the resulting substructures are sent consecutively to the server viaa node with a transformation module. The substructure not containing CDis sent directly to the server, bypassing the node with thetransformation module. After receiving the substructures, they arecombined at the server side into a single data structure. The criticaldata are data with respect to which the law of the state in whosejurisdiction the client or an authorized entity is located imposesrestrictions on the gathering, storage, accessing, dissemination andprocessing thereof. In one aspect, critical data is confidentialdata—any data protected by the law of the state in whose jurisdictionthe client is located; in a particular instance, such data is personaldata.

The network node with the transformation module may be situated in aregional network different from the regional network in which the serveris located, and not be in the same intranet with the server or theclient; the regional network of the network node with the means oftransformation and the regional network of the server may also besituated in different jurisdictions. The regional network may at thesame time be the national network.

The transformation module of the node may transform each datasubstructure passing through it, where the transformation may be done insuccession as the substructures pass through it, and also in aparticular instance the original and the transformed substructure arenot saved at the node after the transformation. In a particularinstance, the transformation module is an anonymization module, and thetransformation itself may be done by means of encryption.

In a particular instance, the data of the substructure not containing CDis transformed by the transformation module with the use of methods ofasymmetrical encryption, where the public key is sent to the client,while the private key is kept at the server.

In another particular instance, the primary transformation of the datasubstructures at the client side is done with no possibility of aninverse transformation of the data by the transformation module, whilethe transformation module performs the secondary transformation of thedata substructure passing through it with no possibility of an inversetransformation at the server or the client side.

The above simplified summary of example aspects serves to provide abasic understanding of the present disclosure. This summary is not anextensive overview of all contemplated aspects, and is intended toneither identify key or critical elements of all aspects nor delineatethe scope of any or all aspects of the present disclosure. Its solepurpose is to present one or more aspects in a simplified form as aprelude to the more detailed description of the disclosure that follows.To the accomplishment of the foregoing, the one or more aspects of thepresent disclosure include the features described and exemplarilypointed out in the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated into and constitute apart of this specification, illustrate one or more example aspects ofthe present disclosure and, together with the detailed description,serve to explain their principles and implementations.

FIG. 1—illustrates a system for data routing in a client-serverarchitecture.

FIG. 2—illustrates a variant of a method of data routing in aclient-server architecture with the data structure being divided intosubstructures by the client.

FIG. 3—illustrates a variant of the method of data routing in aclient-server architecture when executing a request with identificationof substructures in the data structure by an anonymization module.

FIG. 4—illustrates a variant of the method of data routing in aclient-server architecture with identification of substructures in thedata structure by the client.

FIG. 5—illustrates a variant of the method of data routing in aclient-server architecture when executing a request with division of thedata structure into substructures by the client.

FIG. 6a —illustrates an exemplary aspect of the method of data routingin a client-server architecture when sending data (for the constructionof statistics) with division of the data structure into substructures bythe client.

FIG. 6b —illustrates an exemplary aspect of the method of data routingin a client-server architecture upon detecting a targeted attack on theclient based on information gathered by the method of FIG. 6 a.

FIG. 7—illustrates an aspect of the method of data routing in aclient-server architecture when executing a request with identificationof substructures in the data structure by the anonymization module.

FIG. 8—illustrates an aspect of the method of data routing in aclient-server architecture with identification of substructures in thedata structure by the client.

FIG. 9—illustrates an aspect of the method of data routing in aclient-server architecture when executing a request with division of thedata structure into substructures by the client.

FIG. 10—illustrates a system of anonymous data exchange in aclient-server architecture.

FIG. 11—illustrates a variant of a method of data exchange in aclient-server architecture, which is used to obtain data from clientsfor constructing statistics on the server side.

FIG. 12—illustrates a variant method of data exchange, which is usedwhen executing a request of the client to the server.

FIG. 12A—illustrates a variant of the method of data exchange, which isused when executing a request of the client to the server, and includesa combining of substructures.

FIG. 13—illustrates an exemplary aspect of the method of data exchange,when executing a request of the client to the server.

FIG. 13a —illustrates an exemplary aspect of the method of dataexchange, when executing a request of the client to the server inasynchronous mode.

FIG. 14—illustrates a variant method of sending critical data in aclient-server architecture.

FIG. 14A—illustrates an exemplary embodiment of the method of sendingcritical data in a client-server architecture.

FIG. 15—illustrates a table of example rules for a moderation moduleaccording to aspects of the present disclosure.

FIG. 16—illustrates an example of a computer system on which thedisclosed system and method can be implemented according to an exemplaryaspect.

DETAILED DESCRIPTION

Exemplary aspects are described herein in the context of a system,method, and computer program product for transmitting critical data in aclient-server architecture. Those of ordinary skill in the art willrealize that the following description is illustrative only and is notintended to be in any way limiting. Other aspects will readily suggestthemselves to those skilled in the art having the benefit of thisdisclosure. Reference will now be made in detail to implementations ofthe example aspects as illustrated in the accompanying drawings. Thesame reference indicators will be used to the extent possible throughoutthe drawings and the following description to refer to the same or likeitems.

FIG. 1 illustrates a system 100 for data routing in a client-serverarchitecture. The system 100 includes a client 102, a server 104, and anetwork node 106 with an anonymization module 108. The server 104 may bepart of a cloud infrastructure (not shown in the figure), while theclient may be a user's device. The node 106 with the anonymizationmodule 108 may be situated in a regional network 107 different from theregional network in which the server is situated (i.e.,regional-network-2 and regional-network-3), and is not located in thesame intranet as the server 104 or the client 102. As used herein, aregional network 107 refers to a geographically dispersed network,bringing together computers at different points into a whole bycommunication means, the set of regional networks forming a globalnetwork 109. In the context of the present disclosure, differentregional networks 107 are not only geographically separated, but alsoare located in different jurisdictions (i.e., possibly subject todifferent regulations), so that in the context of the present disclosurethe different regional networks may also include networks bringingtogether the nodes of countries (national networks). For example, inFIG. 1, the Regional Network “1” is the network of the United States ofAmerica, the Regional Network “2” is the network of Germany and/or theEuropean Union, and Regional Network “3” is the network of the RussianFederation.

The global network 109 of FIG. 1 is the totality of all the regionalnetworks 107, or the world network, the Internet. In the terminology ofthe GDPR, for example, the regional network of the RF in which theserver is situated will be considered to be a regional network of athird party.

In a particular instance, the regional network 107 of the node 106 withthe anonymization module 108 is also different from the regional networkof the client 102. The arrows in FIG. 1 are depicted as originating froma network, and not from the client, since in the general case theexternal IP address is visible thanks to the use of internal addresshiding technologies, particularly Proxy, NAT (Network AddressTranslation).

The client 102 may include a modification module 110 configured todivide one or more data structures (e.g., which are created fordispatching data from the client to the server) into substructures andto select a route for the obtained substructures. A data structure is acollection of data values generated and maintained by components of thesystem 100, including the client 102 and the server 104. It is notedthat some of the data values in the data structure may be “personaldata”, and therefore subject to data privacy policies and regulations. Asubstructure then is a type of data structure that contains a subset ofthe data values from the original data structure. By way of example, thedata values in the data structure may include data submissions, userrequests, data queries and/or query results, log data, state data of anapplication, records of user transaction(s), user-generated content, andother forms of data suitable for exchange in a client-serverarchitecture. In some examples, a data structure may be in-memory datastructures (e.g., linked lists, hash tables, trees, arrays, databaserecords), or on-disk data structures (e.g., files, blobs). In otherexamples, a data structure may be one or more network data packet(s)configured for the transmission of the data values contained herein fromthe client to the server. The data structure may be serialized, in textformat, in a structured format (e.g., Extendible Markup Language or XML,JavaScript Object Notation or JSON), or other format for informationexchange.

There may be various criteria for the division of a data structure intosubstructures. One such criterion may be the presence of personal data(Personal Identification Information) or special categories thereof (inthe terminology of the GDPR), whereby the data structure is divided upsuch that one substructure contains the personal data (hereinafter, PD,or PII) or special categories thereof, another substructure includesdata which is not personal data (i.e., the other substructure does notcontain PD). The characterization and assignment of data as personaldata can be dictated, for example, by the laws of the country in thejurisdiction of which the user of the device being the client in thesystem being described is situated, in other words, according to thelocation of the data source.

Another criterion for the division of a data structure intosubstructures is the presence of critical data. Critical data is data onwhich the law or an authorized entity imposes restrictions on itsgathering, storage, accessing, dissemination, and processing. Criticaldata is generally sensitive with regard to divulgence, dissemination,and leakage, since the occurrence of these events will lead to aviolation of the rights and the lawfully protected interests of users,as protected by law, and liability is enforced against those who commitinfractions of the rules for gathering, storing, accessing, andprocessing of such data. A particular case of critical data isconfidential data (sensitive data) or confidential information. In thecontext of the present application, confidential data and confidentialinformation are used synonymously. Confidential data refers to datawhich is protected in keeping with the legislation of the country in thejurisdiction of which the user of the device which is the client in thesystem being described is located. Confidential data in a particularcase includes personal data (PD) and data containing commercial secrecy,tax secrecy, banking secrecy, medical secrecy, notarial secrecy,attorney secrecy, audit secrecy, communications secrecy, insurancesecrecy, last testament secrecy, adoption secrecy, confessional secrecy,investigational secrecy, court proceedings secrecy, information onprotected persons, and state secrecy. In one aspect, the critical datamay include sensitive personal data, as specified under the GDPR, whichis any data that reveals racial or ethnic origin, political opinions,religious or philosophical beliefs, trade union membership, dataconcerning health or sex life and sexual orientation, and genetic dataor biometric data (e.g., for the purpose of uniquely identifying anatural person).

The anonymization module 108 is configured to perform a transformationand the inverse transformation of the substructures whose route passesthrough the node 106 with the anonymization module 108. In one aspect, atransformation of substructures may be a transformation of the datacontained in the substructure. In a particular instance, the methods oftransformation of the data of the substructures may include one or moreof quantization, sorting, merging (pasting), grouping, data setconfiguration, table substitution of values, calculated values, dataencoding, encryption, and normalization (scaling).

Certain kinds of transformation may be applied not only to individualdata in the substructure, but also to the substructure as a whole, forexample tokenization and/or encryption. In a particular instance, thetransformation is carried out with no possibility of an inversetransformation by any means other than the anonymization module 108 ofthe node. An inverse transformation refers to a transformation whichrestores the original form of an object of transformation (data, asubstructure) prior to the transformation. Generally, a transformationmay be any mapping (function) of a set onto itself, or in other words,transformations are mappings which translate a certain set into anotherset.

A substructure from the same client may be transformed by theanonymization module 108 by the same method or by different methods. Ifthe transformation is carried out by the same method, then thetransformed substructure or the data of the substructure from the sameclient will have an identical appearance; otherwise, they will differand it will not be possible to construct statistics for the same client(perform a profiling).

The server 104 may include a combining module 112, which is configuredto combine a data structure that was divided at the client side. Thecombining module 112 may combine data, for example, on the basis ofunique identifiers, which are assigned to each substructure during thedivision and are identical for the substructures of the same structure.The combining module 112 receives substructures arriving at the server104 by various network routes and combines them into a structure. Thestructure will clearly be different from the original one, divided atthe client side, because the substructures passing through the node withthe anonymization module 108 will be transformed by that module 108. Theresulting structure may be saved in a database (not shown in thefigures).

In a particular instance, the anonymization module 108 obtains from theclient a structure not divided into substructures by the modificationmodule 110 of the client (for example, the structure of a request forthe server), in which case the anonymization module 108 for thetransmission to the server identifies in the obtained structure thesubstructures containing PD and performs a transformation of the data ofthe substructures; examples are given below.

The described system 100 is used for the anonymization of requests beingdispatched to the server 104 and responses to these requests beingdispatched to the client 102, and also for obtaining data from clients102 which is used for the construction of statistics.

FIG. 2 is a block diagram showing exemplary operations according to amethod of routing data in a client-server architecture, which is used ina particular instance for obtaining data from clients for theconstruction of statistics. In step 200 the modification module 110(e.g., executing on the client 102) divides the structure 201 intendedfor dispatch to the server in accordance with criteria, one suchcriterion possibly being the presence of PD in the structure, and as aresult of the division there is obtained a substructure containing PD(in FIG. 2 this is substructure 1, for example) and one not containingPD (in FIG. 2 this corresponds to substructure 2). Here and below, as anexample of the criterion we shall use the presence of PD, and not thepresence of critical or confidential data, even though what is valid forPD is also valid for critical or confidential data in general in theexample aspect of the present disclosure in the context of the presentapplication. In a particular instance, there may be more than onesubstructure of the first and second type, as well as more than onecriterion by which the division is performed.

In step 210 the modification module 110 dispatches (i.e., transmits) theobtained substructures to the server 104, the dispatching occurring byvarious routes (route A and route B), where one of the routes (e.g.,Route A) includes the network node 106 with the anonymization module108. In an aspect, the modification module 110 may determine at leasttwo routes for dispatching the at least two data substructures based onpersonal data contained in the one of the data substructures. Thenetwork node 106 is situated in a regional network different from thenetwork where the server 104 is located and not in the same intranet asthe server or the client 102. When one of the substructures intended fordispatch to the server contains PD, the substructures will be directedto the server via the node with the anonymization module 108 (route A).

Then, in step 220, the substructures passing through the node 106 withthe anonymization module 108 are transformed by that module 108 and thensent to the server 104 (step 221) in a transformed state. In the generalcase, the substructures from the same client are transformed differentlyat different moments in time. For example, a substructure having aclient identifier sent at a first time period is transformed to includean anonymized identifier (AnonymizedID1) which is different a subsequentanonymized identifier (AnonymizedID2) from a substructure sent at asecond time even if it came from the same client and had the same clientidentifier (i.e., Client ID→AnonymizedID1≠AnonymizedID2≠AnonymizedID3and so on), and this may pertain to all the examples. In a particularcase, when it is necessary, for certain security systems, to assembleinformation (construct statistics) on a particular client, thetransformation will be identical for a substructure from the same client(for example, Client ID→AnonymizedID1=AnonymizedID2=AnonymizedID3 and soon).

In conclusion, in step 230 the substructures obtained from the clientare combined into a structure 231 (Structure′). Clearly, the resultingstructure (Structure′) is different from the original one, since atleast one substructure has been transformed by the anonymization module108. The resulting structure 231 will also be used in the database bythe infrastructure at the server side. The infrastructure and databaseare omitted from the figure for clarity of illustration. Individualinfrastructure elements such as a request processor 302 and an attackdetection module 602 are indicated in other figures. The transformationof the substructures and/or data of the substructures by theanonymization module 108 is conducted in such a way as to exclude thepossibility of an inverse transformation of the substructures and/ordata of the substructures by any means other than the means of thenetwork node 106 with the anonymization module 108.

FIG. 3 shows a routing method which is used, in a particular instance,for executing a request 301 of the client in relation to the server. Instep 300 the request generated at the client side is dispatched by themodification module 110 from the client 102 to the server 104, the routeincluding the network node 106 with the anonymization module 108, saidnode being situated in a regional network different from the networkwhere the server is located and not being in the same intranet with theserver or the client. In a particular instance, some of the request data(not containing confidential data) may be transformed by themodification module 110 at the client side, and the transformation maybe carried out such that it is impossible for the anonymization module108 to perform the inverse transformation (step 311 in FIG. 4) and onlythe server 104 can perform the inverse transformation (step 325 in FIG.4). By way of example, the transformation and inverse transformation maybe performed using asymmetrical encryption techniques, where the client102 has a public key and the server 104 has a private key. As usedherein, unless otherwise indicated, the term “transformation” refers toa forward transformation.

Next, in step 310, the anonymization module 108 identifies substructuresin the data structure of the request intended for dispatches to theserver in accordance with criteria, one such criterion possibly beingthe presence of PD, and obtaining as a result of the identification asubstructure containing PD (in FIG. 3, by analogy with the previousexample, this is Substructure 1) and one not containing PD (in FIG. 3this is Substructure 2). In step 320, the anonymization module 108 isused to perform a transformation (a forward transformation from originalto transformed) of the data substructure (and/or the data in thesubstructure) containing PD, and the anonymization module 108 is used todispatch the resulting data structure of the request with thetransformed substructure containing PD to the server (step 321).

In response to the request received, the server in step 330 generates aresponse 323 using a request processor 302. In regards to the data ofthe request which may have been transformed by the client 102 in aparticular instance, the server 104 first performs an inversetransformation (step 325 in FIG. 4, as described later). The datastructure 323 of the response to the request, in the example with PD,will contain substructures: (1) at least one substructure(s) containingPD transformed by the anonymization module 108 (Substructure 1′,extracted from the request structure); and at least one substructure(s)not containing PD (substructure 3, containing the body of the responseto the request or the payload of the response).

The data not containing PD (substructure 3) may be transformed (forwardtransformation) without the possibility of an inverse transformation bythe anonymization module 108 (Substructure 3′), this being done in step340. The inverse transformation of this data may only be performed bythe modification module 110 of the client (e.g., asymmetrical encryptionin which the server has a public key and the client a private key), instep 350 the resulting data structure 324 of the response to the requestis dispatched from the server to the network node with the anonymizationmodule 108. The anonymization module 108 in step 360 is used to performthe inverse transformation of the data substructures of the response 324to the request containing PD (substructure 1′). The inversetransformation is done with respect to the data which was transformed instep 320 (inverse transformation from transformed data to original datacontained initially in the request from the client). The obtained datastructure is redirected to the client (step 370) and the modificationmodule 110 of the client in step 380 is used to perform the inversetransformation of the data substructures of the response to the requestnot containing PD that were transformed by the server in step 340. As aresult, the client 102 generates a data structure 381 containing datasubstructures of the response to the request not containing Ptransformed by the server.

FIG. 4 shows a variant of the method shown in FIG. 3, but in thisvariant step 310 for identifying the substructures is performed not bythe anonymization module 108, but by the modification module 110 of theclient, followed by transformation of the substructure in step 311. Byanalogy with the variant in FIG. 3, the substructure not containing PD(substructure 2) is subjected to the transformation. Therefore, step300′ in FIG. 4 differs from the analogous step 300 of the method in FIG.3 in that it is not the original data structure of the request which issent to the node with the anonymization module 108, but rather thetransformed structure 412 after performing steps 310 and 311.Accordingly, in this variant, step 325 is added, where there isperformed at first an inverse transformation of the substructure (in theexample, Substructure 2′, not containing PD) that was transformed instep 311, before performing step 330.

FIG. 5 shows a variant of the method of data routing in a client-serverarchitecture in which steps 200 to 230 are analogous to the steps of themethod shown in FIG. 2, while steps 300 to 380 are analogous to thesteps of the method shown in FIG. 3. In a particular case, theSubstructure 2 before being dispatched directly to the server may firstbe transformed, by analogy with step 311 in FIG. 4, and then step 325 isadded in the diagram of the method, besides step 311.

In a particular instance, in all aspects of the method shown in FIG.3-FIG. 5 the data structure dispatched to the client 102 by the node 106with the anonymization module 108 in step 370 does not contain a datasubstructure with PD (in the examples, Substructure 1). Thatsubstructure needs to be saved until this step, in order to determinethe addressee of the response; after this, there is no need for it inthe particular instance.

FIG. 6a shows exemplary operations of the method shown in FIG. 2. Theclient 102 is communicatively connected to a system for remote detectionof targeted attacks, such as an attack detection module 602, located onthe server side. To permit full operation of the attack detection module602, it may be necessary to obtain information from the client 102 as tofiles with malicious code (malicious files) detected at various timesand to construct statistics on the basis of the information obtained(often, in compliance with the national legislation on personal datathis still needs to be done anonymously). Upon detecting several suchmalicious files based on information received from the client, aconclusion is made at the server side that a targeted attack has beendetected on the client.

For the transmission of information to the server pertaining to themalicious file detected, the client 102 generates a data structure 601which includes a client identifier (“clientID”) and informationpertaining to the malicious file detected (“MD5”) of the malicious filedetected. In step 200 the modification module 110 divides the generatedstructure 601 intended for dispatch to the server into substructures,obtaining as a result of the division a substructure containing theClient ID and a substructure containing the MD5 of the file. In order toknow which structure the substructures pertain, they are assigned anidentifier (in the figure the identifier is denoted as StructureID). Instep 210 the modification module 110 of the client transmits theobtained substructures to the server 104, the transmission occurring bydifferent routes (route A and route B), where one of the routes (routeA) includes a network node 106 with the anonymization module 108, saidnode 106 being situated in a regional network different from the networkwhere the server is located, and not being in the same intranet as theserver or the client. The substructure containing the Client ID isdirected to the server 104 across the node 106 with the anonymizationmodule 108 (route A). In step 220 the anonymization module 108 performsthe transformation of the client ID, where the client ID is saved at thenode, and replaces it in the substructure with the token AnonymizedID(in a particular instance, the client ID may be encrypted). The obtainedsubstructure is dispatched to the server (step 221). In conclusion, instep 230 the substructures received from the client are combined into astructure 603. Clearly, the resulting structure 603 differs from theoriginal one (601), since at least one substructure was transformed bythe anonymization module 108. The resulting structure 603 is saved atthe server 104 (or in any given database of the infrastructure to whichthe server belongs) and will be used by the server to assembleinformation (denoted in the figure as STATISTICS) on the client 102 fromwhom the structure was obtained. In step 240 the assembled informationwill be used by the attack detection module 602 and if the attackdetection module 602 detects an attack then in step 250 the attackdetection module 602 generates a data structure 623 containing asubstructure with the AnonymizedID and a substructure containinginformation on the attack (denoted in the figure as AttackID); theobtained structure 623 will be addressed to the client to give notice ofthe attack.

An example of the method of dispatching is shown in FIG. 6b , steps 340to 380 being analogous to the steps of the example shown in FIG. 8. In aparticular instance, information about the attack might not betransformed, but rather be dispatched in open form; in that case, theexample will lack the steps 340 and 380. In the aspects shown in FIG. 6bas well as in the other Figures of the present disclosure, optional andalternative aspects are depicted in dashed outline or in a light,italicized font style, such as the clientID field in the obtainedresponse in step 370.

FIG. 7 shows another example operation of the present disclosure. Theclient device 102 has detected a new file, which needs to be scanned forthe presence of malicious code by the server 104. For this, it isnecessary to dispatch information about the file to the server, in thepresent example this being the file's MD5, for which the clientgenerates a request data structure 701. For this purpose, in order totell the server to whom the response should be dispatched, themodification module 110 (e.g., executing at the client 102) inserts inthe request data structure 701 a client ID, such that the request datastructure 701 includes the client ID and the file MD5. In step 300 thegenerated request is dispatched by the modification module 110 to theserver, the route including the network node 106 with the anonymizationmodule 108, said node being situated in a regional network differentfrom the network where the server is located, and not being in the sameintranet as the server or the client. Next, in step 310, theanonymization module 108 identifies substructures in the structure 701intended for dispatch to the server, obtaining as a result of theidentification a substructure containing the client ID and asubstructure containing the file's MD5. In step 320, the anonymizationmodule 108 performs a transformation of the client ID, where the clientID is saved at the node 106, and this is replaced in the substructure bythe token AnonymizedID (in a particular instance, the client ID may beencrypted). The obtained data structure of the request with thetransformed substructure is dispatched to the server (step 321). Aresponse 723 to the request received is generated in step 330 by therequest processor 302 of the server 104. The request processor 302extracts from the structure the file MD5 and issues a verdict indicatingthat the file under analysis at the client is malicious, for example,“MD5-BAD”. The data structure 723 of the response to the requestcontains the following substructures: (1) at least one substructurecontaining the token AnonymizedID (or the client ID encrypted by theanonymization module 108); and (2) at least one substructure containinga verdict for the file (MD5BAD).

In this regard, the verdict in step 340 is transformed by the server 104without possibility of an inverse transformation by the anonymizationmodule 108, for example by encrypting it with a public key (thetransformed verdict is denoted in the figure as EncryptedVer), theprivate key is kept at the client, and the inverse transformation mayonly be performed by the modification module 110 of the client. In step350 the obtained data structure 724 of the response to the request isdispatched from the server to the network node 106 with theanonymization module 108. The anonymization module 108 in step 360performs the inverse transformation of the data substructure of theresponse 724 to the request containing the token AnonymizedID by theanonymization module 108, where in the case of a token the token isreplaced by the previously saved client ID, and in the case where theclient ID was encrypted it is then decrypted. Thus, the transformationis performed with regard to the data which was transformed in step 320.The obtained data structure is redirected to the client (step 370) andthe modification module 110 of the client in step 380 performs theinverse transformation of the verdict transformed by the server in step340; in the example, it is decrypted with the aid of the private key. Ina particular instance, AnonymizedID is for the same client ID, but theywill be different in different transmissions.

FIG. 8 shows a variant of the example shown in FIG. 7. In this variantthe step 310 after identification of the substructures is performed notby the anonymization module 108, but by the modification module 110 ofthe client 102 with later transformation of the substructure savinginformation about the file (the MD5 of the file) by encryption with thepublic key (in the figure the transformed information about the file isdenoted as EncryptedMD5); the private key is kept at the server and theinverse transformation may be performed only at the server. Thus, step300′ of the example in FIG. 8 differs from the analogous step of theexample in FIG. 7 in that it is not the original structure of therequest (e.g., 801) which is sent to the node with the anonymizationmodule 108, but rather the transformed one (data structure 812), afterperforming steps 310 and 311. Accordingly, therefore, step 325 is added,where prior to performing step 330 an inverse transformation is done forthe encrypted information about the file by decrypting it with the aidof the private key.

FIG. 9 shows an example of data routing in a client-server architecturein which steps 200 to 230 are analogous to the steps of the exampleshown in FIG. 6a , while steps 330 to 380 are analogous to the steps ofthe example shown in FIG. 7. In a particular instance, the informationabout the file may first be transformed prior to being dispatcheddirectly to the server, by analogy with step 311 in the example of FIG.8, so that step 325 is added in the example, besides step 311.

The modification module 110 of the client intercepts the structures 901intended for dispatch to the server, divides these structures inaccordance with established rules, and selects routes for thesesubstructures also in accordance with rules. The rules by which themodification module 110 functions are established in a particularinstance according to one or more information technology policiesconfigured to comply with the existing regulations and legislation inthe jurisdiction of which the client device 102 (the source) isoperating. Therefore, in order to apply the rules the modificationmodule 110 of the client determines the location of the device (source),the type of data in the formed data structure 901, the purpose of thedata structure (e.g., the type of transmission: request or statistics,where dispatching of data to the server for compilation of statistics atthe server side), the location of the data recipient. On this basis inaccordance with the rules the modification module 110 selects the routefor the data, the division variant, and the method of transformation atthe client side. One variant of formalized rules is presented in Table 1seen in FIG. 15, where the “Method” column indicates the correlatedmethod for transforming can include the following approaches: “Method 1”is characterized as including the division of a data structure at theclient side (see 2); “Method 2” is characterized as including theidentification of the data structure at the node with the anonymizationmodule 108 (see FIG. 3); “Method 3” is characterized as including theidentification of the data structure at the client side (see FIG. 4).

As indicated above, the rules may be dictated by the requirements ofregulations/legislation (such as the GDPR) and just as any given legalnorm includes a hypothesis and a disposition, so too in algorithmiclanguage there is a corresponding if—then construction. Thus, theprovided Table 1 formalizes a rule in the following format:

-   -   IF [type, source, recipient, personal data (yes/no)], THEN        [method, location of anonymization node, method of        transformation for the data]

Listing 1: Example Rule Format

Consider an example data structure, in which the modification module 110determines that: the type of transmission is a request, the source(client) is Germany, the recipient (server) is the Russian Federation,and the structure contains personal data. In accordance with the rules,the modification module 110 identifies the substructure with PD at theclient side (as in step 310 of FIG. 4—method 2) and dispatches it viathe USA, encrypts the substructure without PD by the public key (as instep 311 of FIG. 4), and transforms the personally identifiableinformation by the anonymization module 108 by encryption.

FIG. 10 illustrates a variant system 1000 of anonymous data exchange ina client-server architecture, similar to the system shown in FIG. 1,except the system 1000 includes a network node 1002 with a storagemodule 1004. The storage module 1004 may include one or more storagedevices. The network node 1002 with the storage module 1004 is situatedin a regional network 107 different from the regional network in whichthe server is located and is not in the same intranet as the server orthe client. In a particular instance, the network node 1002 with thestorage module 1004 may be in the same regional network as the networknode 106 with the anonymization module 108; such as the network in FIG.10 indicated as “Regional Network N”. The purpose of the network node1002 with storage module 1004 is to hide the external IP address of theclient 102 from the server 104 and relieve the burden of the node 106where the anonymization module 108 is located, so that the volume oftraffic passing through the node 106 with the anonymization module 108is reduced. The network node 1002 with the storage module 1004 is anintermediate repository for data being exchanged by the client with theserver.

The system 1000 shown in FIG. 10 is used for the anonymous exchange ofdata between a client and a server, including for the transmission ofdata from clients which are used to construct statistics and forclient-server interaction of the “request-response” type. FIG. 11 showsthe method of anonymous exchange of data between a client and a server,which in a particular instance is used to obtain data from clients forthe construction of statistics on the server side. The steps 200, 221,220, 230 are analogous to the steps shown in FIG. 2. Step 210′ differsfrom the analogous one and step 222 is added. In FIG. 2 route B wentdirectly from client to server, but in the aspect being described inFIG. 11 this route is broken up, and the client dispatches Substructure2 not to the server, but to the node with the storage module 1004. Then,in step 222 this substructure will be received by the server. Theinitiator of the transmission of this substructure to the server in step222 may be either the node 1002 with the storage module 1004 or theserver 104, which downloads the Substructure 2 on demand when itreceives via route A the Substructure 1′ with the identifier ofSubstructure 2 that was saved by the network node 1002 with storagemodule 1004.

FIG. 12 shows a method of data exchange which is used in a particularinstance for executing a request of a client to the server. The steps200, 221, 220, 230 are analogous to the steps shown in FIG. 2, the steps210′, 222 are analogous to the steps shown in FIG. 11, the step 330 isanalogous to this same step in FIG. 3. Thus, the dispatching of arequest to the server is analogous to the dispatching of data to theserver for the construction of statistics, as shown in FIG. 11; thedistinctions from all that was described above include how the response,prepared in step 330, is dispatched. The structure of the response tothe request, generated in step 330, is broken up into at least twosubstructures in step 331: (1) at least one substructure containing PDtransformed by the anonymization module 108 (e.g., Substructure 1′,extracted from the request structure); and (2) at least one substructurenot containing PD (substructure 3, containing the body of the responseto the request or the payload of the response).

In step 350 a the substructure containing PD is dispatched from theserver 104 to the 106 node with the anonymization module 108, where instep 360 a transformation will be performed which is the inverse of thetransformation performed in step 220. The substructure not containing PD(in FIG. 12 Substructure 3) is dispatched in step 350 b to the networknode 1002 with the storage module 1004. Next, the substructure notcontaining PD will be sent to the client in step 371. Variants wherebythe client receives the substructure in step 371 may be different. Ifstep 350 a is carried out, then after the transformation in step 360 thenode with the anonymization module 108 will dispatch a notification(message) to the client in step 370 a that the response is ready; afterthis, the client accesses the node with the storage module 1004 andreceives the substructure not containing PD from the node with thestorage module 1004. The notification in step 370 a may contain, forexample, a unique identifier assigned to the Substructure 3 in theprocess of dividing the structure of the response to the request in step331, the substructure with this identifier being requested by the clientfrom the network node 1002 with the storage module 1004. In a particularinstance, steps 350 a, 360, 370 a might not be performed. In this case,the identifier assigned to the substructures in the process of divisionin step 200 will be analogous to the identifier assigned in step 331 andthe client in step 371 will obtain the Substructure 3 by periodicallypolling the node with the storage module 1004 as to the arrival there ofthe substructure with the corresponding identifier. If steps 350 a, 360,370 a are not performed, the structure of the response to the request isidentical to the substructure not containing PD (substructure 3), towhich a unique identifier is assigned. In another particular instance,the node with the storage module 1004 independently dispatches theSubstructure 3 to the client in step 371; in this case, the sessionidentifier is used, which was established between the client and thenode with the storage module 1004 to carry out step 210; in the givencase, the unique identifiers assigned to the substructures in steps 200and 331 are equal and they are equal to the session identifier. In thiscase, when the node receives the Substructure 3 in step 350 b, it willread the identifier of Substructure 3 and forward it to the client whosesession has the same identifier; the primary condition for theperformance of this variant is the maintaining of the session betweenclient and node with the storage module 1004 until the end of the dataexchange between the client and the server when executing the requestand dispatching the response.

In a particular instance, the scheme described in FIG. 12 may operate inan asynchronous mode; in this case, step 330 is carried out withoutperforming step 230, the data of Substructure 2 is used, and theobtained Substructure 3, omitting step 331, is dispatched to the nodewith the storage module 1004 (step 350 b). Step 230 will be performedindependently of step 330. Such a mode increases the speed of theserver's reaction and is used in the event that only the data containedin the substructure not containing CD is needed for the processing ofthe request. A combining of the substructures (step 230) in such casesis only necessary to construct statistics, as in the example shown inFIG. 12 a.

FIG. 13 shows an example of the use of the method illustrated in FIG. 12in order to obtain a verdict (dangerous/malicious or safe) for a filedetected on the client side from the server. For the transmission to theserver of information about the detected file (in the present example,the information about the file is the MD5 of the file), a data structureis generated which includes the client ID and the MD5 of the detectedfile. In step 200 the modification module 110 divides the generatedstructure, intended for transmission to the server, into substructures,obtaining as a result of the division a substructure containing theclient ID and a substructure containing the MD5 of the file; in order toknow the structure to which the substructures pertain, they are assignedan identifier (in the figure the identifier is denoted as StructureID).In step 210 the modification module 110 of the client dispatches theobtained substructures. The dispatching is done by different routes(route A and route B) and to different recipients. By route A thesubstructure is dispatched to the server, route A including the networknode with the anonymization module 108, said node being situated in aregional network different from the network where the server is located,and not being in the same intranet as the server or the client. Thesubstructure containing the client ID is sent to the server via the nodewith the anonymization module 108 (route A). By route B the substructureis dispatched to the network node 1002 with the storage module 1004,said node being situated in a regional network different from thenetwork where the server is located, and not being in the same intranetas the server or the client. The substructure containing the MD5 of thefile is sent to the network node 1002 with the storage module 1004(route B). In step 220 the anonymization module 108 is used to perform atransformation of the client ID, where the client ID is saved at thenode, and it replaces this in the substructure with the tokenAnonymizedID (in a particular instance, the client ID may be encrypted).The obtained substructure is dispatched to the server (step 221). Instep 222 the substructure with the MD5 of the file will be received bythe server. If the method is carried out in synchronous mode, then instep 230 the substructures obtained by the server in step 221 and step222 will be combined and the response will be processed in step 330. Inthe example, MD5 will be scanned by a database of malicious and safefiles and the results of the scan will produce a verdict and generate aresponse to the request (in the given example, the file proved to bemalicious—MD5-BAD). The generated response to the request is divided instep 331 into two substructures, as a result of the division one obtainsa substructure containing the client ID and a substructure containingthe verdict (MD5), in order to know the structure to which thesubstructures pertain, they are assigned an identifier (denoted in thefigure as StructureID); in a particular instance, the identifier may beidentical to the identifier assigned to the substructures in step 200.In step 350 b the substructure with the verdict is dispatched to thenetwork node 1002 with the storage module 1004, which either forwardsthe substructure to the client in step 371 (if StructureID correspondsto the session ID between the node and the client established in step210), or saves until needed. This substructure may be needed by theclient in the event of it receiving a notification from the node withthe received anonymization module 108 of the clients as a result of theexecution of steps 350 a, 360, 370 a. In another aspect, the client mayconstantly poll the network node 1002 with the storage module 1004 as tothe presence of the response substructure at the node (in this case, theStructureID assigned to the substructures in steps 200 and 331 should beidentical). In step 372 the client processes the response. If the methodis carried out in asynchronous mode (FIG. 13a ), then step 230 and step330 are performed independently. The StructureID in step 330 does notchange and is identical to the StructureID in step 200, and in aparticular instance is equal to the session ID between the client andthe node with the storage module 1004 of step 210, in which context atransmission of the substructure will also take place in step 371.

Aspects of the present disclosure make it possible to decentralize thedata coming from a client, which provides anonymity for the user whosedevice is the client; the data being exchanged by the client with theserver cannot be associated with the client upon accessing the server.Some of the data is known only to the server, some only to the networknode with the anonymization module 108, and the data cannot bede-anonymized without simultaneous access to these system components,while the impossibility of simultaneous access to the components,including by government structures, is assured by distributing thesystem components among different regional networks, differing both ingeographical respect and in respect of territorial jurisdiction. Aspectsof present disclosure, when utilizing a node with a storage module 1004,also allow the external IP address of the client to be hidden from theserver (the server does not pick up the substructure directly from theclient, but instead via the node with the storage module 1004), and alsoreduces the burden on the node with the anonymization module 108.

In certain cases, after the data structure has been divided into twodata substructures, one of which contains confidential data, it becomesnecessary to further divide the given substructure. This is done, in oneparticular instance, when the data are critical only when foundtogether, e.g., the IP address and the time stamp are together personaldata; having divided the substructure in which this linkage is foundinto a substructure with the IP address and a substructure with the timestamp, the data lose their personal attribute and may be processed bythe node, not having the ability to combine these structures, with norestrictions placed by legislation on the processing of critical (in thegiven case, personal) data. But in such a case the mechanism of sendingthe data to the server is more complex.

FIG. 14 shows a method of transmitting critical data in a client-serverarchitecture which is used in a particular instance for obtaining datafrom clients for the construction of statistics. It is understood thatcertain individual infrastructure elements (e.g., the request processor,the attack detecting module, database) indicated in other figures areomitted from FIG. 14 for clarity purposes only.

In step 200, the modification module 110 (e.g., executing on the clientdevice 102) divides the structure intended for transmitting to theserver 104 in accordance with criteria, one such criterion may be thepresence of critical (e.g., confidential, including personal) data inthe structure. As a result of the division, there are obtained a firstdata substructure containing critical data (this being substructure 1for the example in FIG. 14) and a second data substructure notcontaining such data (this being substructure 2, correspondingly, inFIG. 14). In step 201, the modification module 110 additionally dividesthe substructure containing critical data into at least twosubstructures (this being substructure 3 and substructure 4 for theexample in FIG. 14). In step 210, the modification module 110 sendssubstructure 2 to the server by route B. In step 211, the substructuresobtained during the dividing of the substructure containing criticaldata are sent in succession by another route, different from route B,where the alternative route includes a network node with atransformation module (this is route A in the example of FIG. 14), andbeing located in a particular instance in a regional network differentfrom the network where the server is located and not being in the sameintranet with the server or the client.

Next, in step 220 the substructures passing through the node 106 withthe transformation module are transformed by that module and sent onwardto the server (step 223) in transformed state. In the general case, thesubstructures from the same client can be transformed differently atdifferent moments of time (for example, ClientID→AnonymizedID1≠AnonymizedID2≠AnonymizedID3 and so forth). This appliesto all examples, but in a particular instance the transformation will beidentical (e.g., Client ID→AnonymizedID1=AnonymizedID2=AnonymizedID3 andso forth) when for certain security systems it is necessary to gatherinformation (construct statistics) on a particular client for asubstructure from the same client. Finally, in step 230, thesubstructures obtained from the client are combined into a datastructure (Structure′). The final data structure (Structure′) is clearlydifferent from the original one, since at least two substructures havebeen transformed by the anonymization module 108. The final structure inthe database will also be used by the infrastructure module on theserver side, for example to construct a profile. The transformation ofthe substructures and/or the data of the substructures by thetransformation module is done by a method precluding the possibility ofan inverse transformation of the substructures and/or the data of thesubstructures by any modules other than the modules of the network nodewith the transformation module.

FIG. 14a shows an example of the implementation of a method oftransmitting critical data. On the client side, a structure is generatedfor sending to a server, the structure contains the IP address of theclient, a time stamp (TimeStamp) and the MD5 of a certain file. In step200, the modification module 110 divides the structure intended forsending to the server, as a result of the dividing there are obtained: asubstructure containing the IP address and the time stamp, and asubstructure containing the MD5 of the file. In step 201, themodification module 110 further divides the substructure containing theIP address and the time stamp into two substructures (in FIG. 14a thisis the substructure with the IP address and the substructure with thetime stamp). In order to know which substructure containing the MD5 isrelated to the IP substructure and the TimeStamp substructure, they areassigned identifiers (in the figure, the identifiers are denoted asStructureID1, StructureID2) and these same identifiers are placed in theMD5 substructure. In step 210, the modification module sends thesubstructure with the MD5 to the server by route B, and in step 211 itsends consecutively the substructure with the IP address and thesubstructure with the time stamp by another route, different from routeB, where the alternative route includes a network node 106 with atransformation module 108 (in the example of FIG. 14a this is route A),where the node with the transformation module is located in a particularinstance in a regional network different from the network in which theserver is located, and not being in the same intranet as the server orthe client. Then, in step 220, the substructure with the IP address andthe substructure with the time stamp are transformed and sent onward tothe server (step 223) in transformed form. The transformation is done asthe substructures are received. At the conclusion, in step 230, thesubstructures received from the client are combined into a structurecontaining the transformed IP address, the transformed time stamp, andthe MD5.

By the modification module, the anonymization module, the combiningmodule, the request processor, the attack detection module, and thestorage module are meant in the present disclosure real-world devices,systems, components, groups of components, realized with the use ofhardware such as integrated microcircuits (application-specificintegrated circuit, ASIC) or a field-programmable gate array (FPGA) orfor example in the form of a combination of software and hardware, suchas a microprocessor system and a set of program instructions, and alsoon the basis of neuromorphic chips (neurosynaptic chips). Thefunctionality of said means may be realized solely by hardware, and alsoin the form of a combination, where some of the functionality isrealized by software and some by hardware. In certain variant aspectsthe modules may be executed on the processor of a computer (such as theone shown in FIG. 16). The databases may be realized by every possiblemethod and may be contained either on a single physical medium or ondifferent ones, both local and remote.

FIG. 14 is a block diagram illustrating a computer system 20 on whichaspects of systems and methods for transmitting critical data in aclient-server architecture may be implemented in accordance with anexemplary aspect. It should be noted that the computer system 20 cancorrespond to the client 102, server 104, network nodes 106 and 1002,for example, described earlier. The computer system 20 can be in theform of multiple computing devices, or in the form of a single computingdevice, for example, a desktop computer, a notebook computer, a laptopcomputer, a mobile computing device, a smart phone, a tablet computer, aserver, a mainframe, an embedded device, and other forms of computingdevices.

As shown, the computer system 20 includes a central processing unit(CPU) 21, a system memory 22, and a system bus 23 connecting the varioussystem components, including the memory associated with the centralprocessing unit 21. The system bus 23 may comprise a bus memory or busmemory controller, a peripheral bus, and a local bus that is able tointeract with any other bus architecture. Examples of the buses mayinclude PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA,I²C, and other suitable interconnects. The central processing unit 21(also referred to as a processor) can include a single or multiple setsof processors having single or multiple cores. The processor 21 mayexecute one or more computer-executable code implementing the techniquesof the present disclosure. The system memory 22 may be any memory forstoring data used herein and/or computer programs that are executable bythe processor 21. The system memory 22 may include volatile memory suchas a random access memory (RAM) 25 and non-volatile memory such as aread only memory (ROM) 24, flash memory, etc., or any combinationthereof. The basic input/output system (BIOS) 26 may store the basicprocedures for transfer of information between elements of the computersystem 20, such as those at the time of loading the operating systemwith the use of the ROM 24.

The computer system 20 may include one or more storage devices such asone or more removable storage devices 27, one or more non-removablestorage devices 28, or a combination thereof. The one or more removablestorage devices 27 and non-removable storage devices 28 are connected tothe system bus 23 via a storage interface 32. In an aspect, the storagedevices and the corresponding computer-readable storage media arepower-independent modules for the storage of computer instructions, datastructures, program modules, and other data of the computer system 20.The system memory 22, removable storage devices 27, and non-removablestorage devices 28 may use a variety of computer-readable storage media.Examples of computer-readable storage media include machine memory suchas cache, static random access memory (SRAM), dynamic random accessmemory (DRAM), zero capacitor RAM, twin transistor RAM, enhanced dynamicrandom access memory (eDRAM), extended data output random access memory(EDO RAM), double data rate random access memory (DDR RAM), electricallyerasable programmable read-only memory (EEPROM), NRAM, resistive randomaccess memory (RRAM), silicon-oxide-nitride-silicon (SONOS) basedmemory, phase-change random access memory (PRAM); flash memory or othermemory technology such as in solid state drives (SSDs) or flash drives;magnetic cassettes, magnetic tape, and magnetic disk storage such as inhard disk drives or floppy disks; optical storage such as in compactdisks (CD-ROM) or digital versatile disks (DVDs); and any other mediumwhich may be used to store the desired data and which can be accessed bythe computer system 20.

The system memory 22, removable storage devices 27, and non-removablestorage devices 28 of the computer system 20 may be used to store anoperating system 35, additional program applications 37, other programmodules 38, and program data 39. The computer system 20 may include aperipheral interface 46 for communicating data from input devices 40,such as a keyboard, mouse, stylus, game controller, voice input device,touch input device, or other peripheral devices, such as a printer orscanner via one or more I/O ports, such as a serial port, a parallelport, a universal serial bus (USB), or other peripheral interface. Adisplay device 47 such as one or more monitors, projectors, orintegrated display, may also be connected to the system bus 23 across anoutput interface 48, such as a video adapter. In addition to the displaydevices 47, the computer system 20 may be equipped with other peripheraloutput devices (not shown), such as loudspeakers and other audiovisualdevices

The computer system 20 may operate in a network environment, using anetwork connection to one or more remote computers 49. The remotecomputer (or computers) 49 may be local computer workstations or serverscomprising most or all of the aforementioned elements in describing thenature of a computer system 20. Other devices may also be present in thecomputer network, such as, but not limited to, routers, networkstations, peer devices or other network nodes. The computer system 20may include one or more network interfaces 51 or network adapters forcommunicating with the remote computers 49 via one or more networks suchas a local-area computer network (LAN) 50, a wide-area computer network(WAN), an intranet, and the Internet. Examples of the network interface51 may include an Ethernet interface, a Frame Relay interface, SONETinterface, and wireless interfaces.

Aspects of the present disclosure may be a system, a method, and/or acomputer program product. The computer program product may include acomputer readable storage medium (or media) having computer readableprogram instructions thereon for causing a processor to carry outaspects of the present disclosure.

The computer readable storage medium can be a tangible device that canretain and store program code in the form of instructions or datastructures that can be accessed by a processor of a computing device,such as the computing system 20. The computer readable storage mediummay be an electronic storage device, a magnetic storage device, anoptical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination thereof. Byway of example, such computer-readable storage medium can comprise arandom access memory (RAM), a read-only memory (ROM), EEPROM, a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),flash memory, a hard disk, a portable computer diskette, a memory stick,a floppy disk, or even a mechanically encoded device such as punch-cardsor raised structures in a groove having instructions recorded thereon.As used herein, a computer readable storage medium is not to beconstrued as being transitory signals per se, such as radio waves orother freely propagating electromagnetic waves, electromagnetic wavespropagating through a waveguide or transmission media, or electricalsignals transmitted through a wire.

Computer readable program instructions described herein can bedownloaded to respective computing devices from a computer readablestorage medium or to an external computer or external storage device viaa network, for example, the Internet, a local area network, a wide areanetwork and/or a wireless network. The network may comprise coppertransmission cables, optical transmission fibers, wireless transmission,routers, firewalls, switches, gateway computers and/or edge servers. Anetwork interface in each computing device receives computer readableprogram instructions from the network and forwards the computer readableprogram instructions for storage in a computer readable storage mediumwithin the respective computing device.

Computer readable program instructions for carrying out operations ofthe present disclosure may be assembly instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language, and conventional procedural programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a LAN or WAN, or theconnection may be made to an external computer (for example, through theInternet). In some embodiments, electronic circuitry including, forexample, programmable logic circuitry, field-programmable gate arrays(FPGA), or programmable logic arrays (PLA) may execute the computerreadable program instructions by utilizing state information of thecomputer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present disclosure.

In various aspects, the systems and methods described in the presentdisclosure can be addressed in terms of modules. The term “module” asused herein refers to a real-world device, component, or arrangement ofcomponents implemented using hardware, such as by an applicationspecific integrated circuit (ASIC) or field-programmable gate array(FPGA), for example, or as a combination of hardware and software, suchas by a microprocessor system and a set of instructions to implement themodule's functionality, which (while being executed) transform themicroprocessor system into a special-purpose device. A module may alsobe implemented as a combination of the two, with certain functionsfacilitated by hardware alone, and other functions facilitated by acombination of hardware and software. In certain implementations, atleast a portion, and in some cases, all, of a module may be executed onthe processor of a computer system (such as the one described in greaterdetail in FIG. 16, above). Accordingly, each module may be realized in avariety of suitable configurations, and should not be limited to anyparticular implementation exemplified herein.

In the interest of clarity, not all of the routine features of theaspects are disclosed herein. It would be appreciated that in thedevelopment of any actual implementation of the present disclosure,numerous implementation-specific decisions must be made in order toachieve the developer's specific goals, and these specific goals willvary for different implementations and different developers. It isunderstood that such a development effort might be complex andtime-consuming, but would nevertheless be a routine undertaking ofengineering for those of ordinary skill in the art, having the benefitof this disclosure.

Furthermore, it is to be understood that the phraseology or terminologyused herein is for the purpose of description and not of restriction,such that the terminology or phraseology of the present specification isto be interpreted by the skilled in the art in light of the teachingsand guidance presented herein, in combination with the knowledge of theskilled in the relevant art(s). Moreover, it is not intended for anyterm in the specification or claims to be ascribed an uncommon orspecial meaning unless explicitly set forth as such.

The various aspects disclosed herein encompass present and future knownequivalents to the known modules referred to herein by way ofillustration. Moreover, while aspects and applications have been shownand described, it would be apparent to those skilled in the art havingthe benefit of this disclosure that many more modifications thanmentioned above are possible without departing from the inventiveconcepts disclosed herein.

What is claimed is:
 1. A computer-implemented method for transmittingcritical data between a client device and a server, comprising:dividing, at the client device, a first data structure intended fortransmission to the server into at least a first data substructurecontaining critical data and a second data substructure that does notcontain critical data, wherein the critical data comprises a pluralityof personal and related data items stored together in the first datasubstructure and having restrictions related to the gathering, storage,accessing, dissemination and processing thereof by laws of ajurisdiction in which the client device is located; when the criticalityof the data is based, at least in part, on finding at least two personaland related data items stored together in the first data substructure,dividing the first data substructure containing the critical data intoat least a third and a fourth data substructures and placing one of theat least two personal data items into the third data substructure andthe other of the at least two personal data items into the fourthsubstructure; transmitting the at least third and fourth datasubstructures to the server via a network node having a transformationmodule without being recombined; and transmitting the second datasubstructure not containing critical data to the server bypassing thenetwork node having the transformation module, wherein the second, thirdand fourth data substructures are combined into a second data structureat the server after being obtained, and wherein a primary transformationof the data substructures at the client is performed with no possibilityof an inverse transformation of the data by the transformation module,wherein the transformation module performs a secondary transformation ofthe data substructure passing through the network node with nopossibility of an inverse transformation at the server or the clientdevice.
 2. The method of claim 1, wherein the network node having thetransformation module is situated in a regional network different from aregional network in which the server is located, and not in a sameintranet with the server or the client.
 3. The method of claim 2,wherein the regional network of the network node having thetransformation module and the regional network of the server aresituated in different jurisdictions.
 4. The method of claim 1, thetransformation module of the network node is configured to transformeach data substructure in succession as the data substructure passesthrough the network node.
 5. The method of claim 4, wherein an originalcopy of the substructure and the transformed substructure are not savedat the node after the transformation.
 6. The method of claim 1, whereinthe transformation module is an anonymization module configured totransform each data substructure using an encryption algorithm.
 7. Themethod of claim 1, wherein the data of the second data substructure notcontaining critical data is transformed by the transformation moduleusing asymmetrical encryption using a private encryption key and apublic encryption key, where the public encryption key is sent to theclient device and the private encryption key is stored at the server. 8.A system for transmitting critical data between a client device and aserver, comprising: a memory device configured to store a first datastructure; a hardware processor communicatively coupled to the memorydevice, and configured to: divide a first data structure intended fortransmission to the server into at least a first data substructurecontaining critical data and a second data substructure that does notcontain critical data, wherein the critical data comprises a pluralityof personal and related data items stored together in the first datasubstructure having restrictions related to the gathering, storage,accessing, dissemination and processing thereof by laws of ajurisdiction in which the client device is located; when the criticalityof the data is based, at least in part, on finding at least two personaland related data items stored together in the first data substructure,divide the first data substructure containing the critical data into atleast a third and fourth substructures and place one of the at least twopersonal data items into the third data substructure and the other ofthe at least two personal data items into the fourth substructure;transmit the at least third and fourth substructures to the server via anetwork node having a transformation module without being recombined;and transmit the second data substructure not containing critical datato the server bypassing the network node having the transformationmodule, wherein the second, third and fourth data substructures arecombined into a second data structure at the server after beingobtained, and wherein a primary transformation of the data substructuresat the client is performed with no possibility of an inversetransformation of the data by the transformation module, wherein thetransformation module performs a secondary transformation of the datasubstructure passing through the network node with no possibility of aninverse transformation at the server or the client device.
 9. The systemof claim 8, wherein the network node having the transformation module issituated in a regional network different from a regional network inwhich the server is located, and not in a same intranet with the serveror the client.
 10. The system of claim 9, wherein the regional networkof the network node having the transformation module and the regionalnetwork of the server are situated in different jurisdictions.
 11. Thesystem of claim 8, the transformation module of the network node isconfigured to transform each data substructure in succession as the datasubstructure passes through the network node.
 12. The system of claim11, wherein an original copy of the substructure and the transformedsubstructure are not saved at the node after the transformation.
 13. Thesystem of claim 8, wherein the transformation module is an anonymizationmodule configured to transform a data substructure using an encryptionalgorithm.
 14. The system of claim 8, wherein the data of the first datasubstructure not containing critical data is transformed by thetransformation module using asymmetrical encryption using a privateencryption key and a public encryption key, where the public encryptionkey is sent to the client device and the private encryption key isstored at the server.
 15. A non-transitory computer readable mediumcomprising computer executable instructions for transmitting criticaldata between a client device and a server, including instructions for:dividing, at the client device, a first data structure intended fortransmission to the server into at least a first data substructurecontaining critical data and a second data substructure that does notcontain critical data, wherein the critical data comprises a pluralityof personal and related data items stored together in the first datasubstructure and having restrictions related to the gathering, storage,accessing, dissemination and processing thereof by laws of ajurisdiction in which the client device is located; when the criticalityof the data is based, at least in part, on finding at least two personaland related data items stored together in the first data substructure,dividing the first data substructure containing the critical data intoat least a third and a fourth data substructures and placing one of theat least two personal data items into the third data substructure andthe other of the at least two personal data items into the fourthsubstructure; transmitting the at least third and fourth datasubstructures to the server via a network node having a transformationmodule without being recombined; and transmitting the second datasubstructure not containing critical data to the server bypassing thenetwork node having the transformation module, wherein the second, thirdand fourth data substructures are combined into a second data structureat the server after being obtained, and wherein a primary transformationof the data substructures at the client is performed with no possibilityof an inverse transformation of the data by the transformation module,wherein the transformation module performs a secondary transformation ofthe data substructure passing through the network node with nopossibility of an inverse transformation at the server or the clientdevice.
 16. The non-transitory computer readable medium of claim 15,wherein the network node having the transformation module is situated ina regional network different from a regional network in which the serveris located, and not in a same intranet with the server or the client,wherein the regional network of the network node having thetransformation module and the regional network of the server aresituated in different jurisdictions.
 17. The non-transitory computerreadable medium of claim 15, the transformation module of the networknode is configured to transform each data substructure in succession asthe data substructure passes through the network node, wherein anoriginal copy of the substructure and the transformed substructure arenot saved at the node after the transformation.
 18. The non-transitorycomputer readable medium of claim 15, wherein the data of the seconddata substructure not containing critical data is transformed by thetransformation module using asymmetrical encryption using a privateencryption key and a public encryption key, where the public encryptionkey is sent to the client device and the private encryption key isstored at the server.